secp256k1-node allows private key extraction over ECDH

Severity:: High

Description

In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve: https://github.com/cryptocoinjs/secp256k1-node/blob/6d3474b81d073cc9c8cc8cfadb580c84f8df5248/lib/elliptic.js#L37-L39

loadCompressedPublicKey is, however, missing that check: https://github.

Recommendation

Update the secp256k1 package to the latest compatible version. Followings are version details:

Affected version(s): **<= 3.8.0 >= 4.0.0, < 4.0.4 = 5.0.0**
Patched version(s): **3.8.1 4.0.4 5.0.1**

References

GHSA-584q-6j8j-r5pm
CVE-2024-48930
CWE-200
CWE-354
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Regular Expression Denial of Service (ReDoS) in lodash - CVE-2020-28500
Payload's SQLite adapter Session Fixation vulnerability - CVE-2025-4644
Elliptic's verify function omits uniqueness validation - CVE-2024-48949
KaTeX's maxExpand bypassed by Unicode sub/superscripts - CVE-2024-28244

Tags:: npm; secp256k1

Anything's wrong? Let us know Last updated on October 21, 2024